In our previous post, Manage D365 User Access through Azure Directory Groups – Part 1, originally written by Varun Katyal – HSD Dynamics 365 Technical Architect, we discussed how users can be granted access to D365 applications via Azure AD group teams in Dynamics. In this post, we will go through setting up security roles in a way that lets access be managed centrally.
Before we delve into the process, let’s understand that Dynamics provides two types of access privileges for users:
User privileges: A user privilege is when a security role is directly assigned to the user. Users can create and access records in Dynamics based on the privileges of that security role.
Team privileges: A team privilege is when a security role is assigned to a team and the user inherits that security role’s privileges as a member of the team. In this case, if the user does not have user privileges of their own, they can only create and access records that are owned by the team.
Now, if user access is granted through Azure AD groups, users inherit security privileges from the group team they are added to. The issue in this scenario is that they will not have user privileges of their own and hence will NOT be able to own records in Dynamics. An administrator would have to assign security roles to individual users, which kind of defeats the purpose of using Azure AD groups.
Well, to resolve this, a property called ‘Member’s privilege inheritance’ has been added to the security role definition, which has the following values:
• Team privileges only
• Direct User (Basic) access level and Team privileges
Now, security roles that use this property keep the same default behaviour in all scenarios except one: when a security role with a member’s privilege inheritance of ‘Direct User (Basic) access level and Team privileges’ is assigned to an Azure AD group team. In this case, the team members can create records owned by themselves as well as by their team, and can access records owned by them or their team.
This property is applicable to Owner and Azure AD Group teams.
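To see which Azure AD group teams would leave their members unable to own records, an administrator can pull the teams and their roles from the Dataverse Web API and check the inheritance setting of each role. The following is an added audit example, not code from the original post; the `teamtype` and `inheritance` attribute names, their option values and the `teamroles_association` navigation are assumptions about the Dataverse schema, and the API response is a constructed sample.

```python
import json

# Constructed sample of a Dataverse Web API response for (assumed query shape):
#   GET /api/data/v9.2/teams?$select=name,teamtype
#       &$expand=teamroles_association($select=name,inheritance)
# teamtype (assumed): 0 Owner, 1 Access, 2 AAD Security Group, 3 AAD Office Group
AAD_GROUP_TEAM_TYPES = {2, 3}
# role.inheritance (assumed): 0 = "Team privileges only",
#                             1 = "Direct User (Basic) access level and Team privileges"
INHERITANCE_TEAM_ONLY = 0
INHERITANCE_DIRECT_USER = 1

SAMPLE_RESPONSE = json.dumps({"value": [
    {"name": "Sales - AAD", "teamtype": 2, "teamroles_association": [
        {"name": "Salesperson", "inheritance": 1},
        {"name": "Report Viewer", "inheritance": 0}]},
    {"name": "Finance - AAD", "teamtype": 2, "teamroles_association": [
        {"name": "Finance Clerk", "inheritance": 0}]},
    {"name": "Legacy Owner Team", "teamtype": 0, "teamroles_association": [
        {"name": "Salesperson", "inheritance": 1}]},
]})


def team_only_roles(response_json):
    """Return {team name: [role names]} for AAD group teams whose roles are
    'Team privileges only'. Members inheriting only such roles can create
    and access records owned by the team, but cannot own records themselves."""
    findings = {}
    for team in json.loads(response_json)["value"]:
        if team.get("teamtype") not in AAD_GROUP_TEAM_TYPES:
            continue
        flagged = [r["name"] for r in team.get("teamroles_association", [])
                   if r.get("inheritance", INHERITANCE_TEAM_ONLY) == INHERITANCE_TEAM_ONLY]
        if flagged:
            findings[team["name"]] = sorted(flagged)
    return findings


def members_can_own_records(response_json, team_name):
    """True if the named team grants at least one role with direct-user
    inheritance, so its members can create records as themselves."""
    for team in json.loads(response_json)["value"]:
        if team["name"] == team_name:
            return any(r.get("inheritance") == INHERITANCE_DIRECT_USER
                       for r in team.get("teamroles_association", []))
    return False


if __name__ == "__main__":
    for team, roles in team_only_roles(SAMPLE_RESPONSE).items():
        print(f"{team}: inherited as team privileges only -> {', '.join(roles)}")
```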
Note: There is also an important lesson we learned recently while adding users to security groups. Dynamics environments can be linked with environment/instance-level security group(s) for the purpose of maintaining users against an environment. New and existing users in these security groups are automatically added to the default business unit of the environment. If the same user is also present in an Azure AD group mapped to a Dynamics 365 team, and that team is owned by a different business unit, the user’s owning business unit will be set to the instance-level default business unit, not the business unit that owns the Azure AD group team.
A possible resolution can be to have the instance level security group limited to users who are not part of an Azure AD group team linked to Dynamics 365.